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“Cloud computing” is a new technology that revolutionized the world of 
communications and information technologies. It collects a large number of 
possibilities, facilities, and developments, and uses the combining of various 
earlier inventions into something new and compelling. Despite all features of 
cloud computing, it faces big challenges in preserving data confidentiality 
and privacy. It has been subjected to numerous attacks and security breaches 
that have prompted people to hesitate to adopt it. This article provided 
comprehensive literature on the cloud computing concepts with a primary 
focus on the cloud computing security field, its top threats, and the protection 
against each one of them. Data security/privacy in the cloud environment is 
also discussed and homomorphic encryption (HE) was highlighted as a 
popular technique used to preserve the privacy of sensitive data in many 
applications of cloud computing. The article aimed to provide an adequate 
overview of both researchers and practitioners already working in the field of 


cloud computing security, and for those new in the field who are not yet fully 
equipped to understand the detailed and complex technical aspects of cloud 
computing. 
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1. INTRODUCTION 

Nowadays the world is facing a new model of computing, on-demand computing, it is a cloud 
computing, where everything that a computer system can provide is provided as a service in a cloud model 
when connected to a network [1]-[3]. The National Institute of Standards and Technology (NIST) put a 
proper description to cloud computing: “Cloud computing is a model for supporting, convenient, on-demand 
network access to a shared group of configurable computing resources, like servers, networks, storage, 
services, and applications, that can be quickly provisioned and released with least management work or 
service provider contact” [4]-[8]. Cloud computing offers many advantages over the traditional computing 
systems, such as (but not limited): cost and time saving, scalability and flexibility, backup and recovery, 
resource maximization, mobile access, multi sharing and collaboration, customization and it removes initial 
capital investments and other pre-operational expenses (pay-as-per-use) [1], [4], [6], [9]-[12]. 
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2. The (5-4-3) CLOUD COMPUTING CONCEPTS 

As it explained above, the definition of cloud computing refers to different models and 
characteristics in it [5]. The 5-4-3 concepts put by NIST describe: (a) the five essential characteristics that 
boost cloud computing, (b) the four deployment models that are used to narrate the cloud computing 
opportunities for customers while looking at architectural models, and (c) the three important and basic 
service offering models of cloud computing [4], [5]. The (5-4-3) concepts are explained as followes: 


2.1. The five-essential characteristic 
The cloud computing has five essential characteristics, these characteristics are [2], [5], [7], [13]-[17]: 

— On-demand self-service: This characteristic enables the user to access cloud capabilities automatically at 
any time he/she wants if the connection to the network is available. 

— Broad network access: The cloud computing abilities are remaining available over the network. Every 
type of client platform may use them, if it has connected to the network. 

— Elastic resource pooling: All required resources (physical and virtual resources) are pooled dynamically 
according to the customers’ demands. 

— Rapid elasticity: According to the existing demands, the accessed capability can be quickly provision 
and released. 

— Measured service: Any usage of a cloud resource is measured. This may include monitor, control, and 
report providing transparency of resources for the consumer and provider together. 


2.2. The four models of deployment [6], [7], [13], [17], [18] 

The clud computing has four models of deployment, these models are: 

— Private cloud: Also called internal cloud [19]. The infrastructure is provisioned for special usage by a 
distinct organization involving multiple consumers (eg. business units) [5], [20]. This type of cloud may 
be managed, owned, and operated via the organization or a third party, sometimes via several of their 
combination [2], [14], [19], [21]-[23]. The private cloud can be classified into two types: on-premise 
private cloud (also called internal cloud) and externally hosted private cloud. The two types differ in 
hosted place. The first one is hosted within its own data center where the second is hosted within the 
cloud provider respectively [19], [22], [23]. 

— Public cloud: Here, the cloud provides its services to general users [23]. The public cloud provides its 
infrastructure for open usage [2], [5], [14]. It may be managed, owned, and operated by an academic, 
government organization, or business or several of their combination [4], [19]-[22]. 

— Community cloud: A cloud infrastructure that is shared by some organizations and supports a specific 
community, such as healthcare. The main target of this model of cloud deployment is to share the 
organization realizes the advantages of public and private clouds together [2], [4], [5], [14], [19]-[21]. 

— Hybrid cloud: here, the cloud infrastructure is a combination of two or more different cloud 
infrastructures (i.e. private, public, or community) that keep single entities, but are restricted with each 
other by standardized technology that allows application and data portability “at the same time the two 
kinds of clouds is used together to achieve specific job” [2], [4], [5], [14], [20]-[22]. Table 1 illustrates 
the advantages and disadvantages of the four modes of deployment with existing examples. 


2.3. The three important service models 
The clud computing has three important service models, these models are: 

— SaaS model: Software as a service, it defines a cloud service where customers can access any software 
applications executed on a cloud infrastructure [8], [16], [19]-[21]. SaaS has no primary setup cost, no 
cost of infrastructure maintenance, all updates are done automatically. On the other side, SaaS has the 
minimum consumer control on security that because the infrastructure and execution platform placed 
remote of the user [2], [4], [5], [14], [16]. 

— PaaS model: Platform as a service, it is a supplying of a computing platform via the network. PaaS is an 
integration of a cloud-based computing environment that assists the running, management, and 
development of applications control on the cloud infrastructure like network, servers, and storage. 
In [8], [14], [16]. Where the customers are allowed to have controls over the deployed applications. PaaS 
model present high extensibility with greater consumer control on security compared with SaaS but less 
than IaaS [2], [4], [5], [16], [19]-[21]. 

— JaaS model: Infrastructure as a service, is the virtual allocation of computing resources (hardware, 
networking as well as storage services). The infrastructure is controlled completely by the cloud service 
providers (CSP) [2], [5], [8], [21]. Therefore, IaaS give a greater security control in the client's if 
compared with SaaS and PaaS models [4], [14], [16], [19], [20]. 
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NIST also defines reference architecture which is intended to simplify the understanding of the 
operational complexity in cloud computing. Its target is to describe, discuss, and develop a system-specific 
architecture [5]. The reference architecture defines five main actors in the relation to the responsibilities and 
roles. These actors are: cloud consumer, cloud provider, cloud auditor, cloud broker, and cloud carrier [5], [24]. 


Table 2 illustrates the responsibilities of each actor [24]. 


Table 1. The advantages/disadvantages of cloud deployment models 








Cloud model Advantage Disadvantage An example 
Private cloud More customization. High costs that devoted in a private cloud Eucalyptus 

Higher security/privacy. infrastructure Ubuntu Enterprise Cloud 

Enhanced reliability On site maintain. Amazon VPC 

Greater control over the server. Capacity ceiling VMware Cloud Infrastructure 

Higher performance. Suite 

Microsoft ECI data center 

Public cloud Reduces time to develop new Higher security risks Google App Engine 


products 

Cost effectiveness 

No contract (Pay-as-you-go) 
Ensures scalability/ reliability 
No user maintenance effort 


Network performance may be suffering 
instabilities. 


Slow speed depending on internet quality. 


Lack of customization. 
Lack of investment 


Microsoft Window Azure 
IBM smart cloud 
Amazon EC2 











Community Compromise data security and Costs higher than public cloud. PaaS includes Microsoft Azure 
cloud privacy. Share fixed amount of bandwidth/data Platform 
Flexibility and Scalability storage among all members. Google App Engine 
Improved Services 
Available and Reliable 
Cheaper than private cloud 
Hybrid cloud Optimal utilization More maintenance Microsoft Hybrid Cloud (Azure) 
Flexibility High initial costs VMware Hybrid Cloud 
Control the resources allocated Challenging on data and application Amazon Web Services (AWS) 
Cost-effectiveness integration Cloud 
Data center consolidation Rackspace Hybrid Cloud 
EMC Hybrid Cloud, HP Hybrid 
Cloud 
Table 2. The cloud computing actors with their responsibilities 
The actor Definition Responsible to secure: 
Cloud Who (person/organization) preserves the business relations with Cloud — Cloud Consumption Management. 
Consumer Providers, and utilizes service from him. — Cloud Ecosystem Orchestration. 
— Functional Layers. 
Cloud A (person/organization/entity) ensures an available service for interested | — Cloud Service Management. 
Provider parties. — Cloud Ecosystem Orchestration. 
Cloud A party who can conduct a separate estimation of cloud services, — The Auditing Environment. 
Auditor performance, information system operations, and security of 
implementation in the cloud. 
Cloud A party who control the usage, performance and delivery of services in — Cloud Service Management. 
Broker the cloud, and negotiates relationships between cloud consumers and — Cloud Ecosystem Orchestration. 
cloud providers. — Service Intermediation. 
— Service Arbitrage. 
Cloud An intermediate party that supplies connectivity and transmission of cloud — The data transmission to/ from a cloud 
Carrier services (from CPS to Cloud Consumers). environment. 





3. SECURITY INCLOUD COMPUTING 
Security is a major requirement of many researchers, anyone how interested in can find a lot of 


papers that focus on this field, for example see [25]-[31]. At the same time, security and privacy concerns are 
the main issues that prevent wide acceptance of cloud concepts [3], [32] where switching to a commercial 
public cloud reduces direct control of systems that manage reliable data and applications [7]. Figure 1 
illustrates the differences between traditional security and cloud security. 

According to a survey by Gartner, 70% of users do not use cloud computing services because of data 
security and privacy concerns [6]. These users are not ready to dump their infrastructure and move to the 
cloud, where their data is kept remotely. They know that their sensitive data remains under cloud control only 
and not by them [6], [7], [12], [21], [33]. For this reason, cloud security and privacy should be a major 
concern in the cloud scenario. It is worth noting that cloud computing has many essential security issues 
when using its services, such as outsourcing, system monitoring and access control, massive data, and intense 
computation and multi-tenancy issues [9], [15]. 
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4. TOP CLOUD SECURITY THREATS 

The cloud security alliance (CSA) defines a list of the topmost organizations of security threats that 
face when trying to use cloud services. As this list defined, the top security threats summarized the concerns 
which can be taken into consideration (by cloud security organization) in order to utilize the advantage of 
cloud computing as more as possible, without falling in the drawbacks that cloud-based systems have [11], 
[33], [34]. The top cloud security threats explained in Table 3 [2], [6], [7], [34]-[36] where Table 4 explains 
the analysis of them [34]. 





Figure 1. The differences between traditional security and cloud security 


Table 3. The top cloud security threats 








Threats Description Protection 

Data breaches Caused by authentication weakness Use more than one factor of encryption and 
authentication 

Broken Appears when trying to assign suitable permissions Using multi-factor authentication systems 

authentication and for user’s job role 

credentials 

Hacked interfaces An attacker utilizes a cloud API to grant access to the Interfaces must be designed to protect against both 

and APIs resources of cloud accidental and malicious attempts to circumvent 
policy 

Exploited system Exploitable bugs in programs are used to penetrate a Using the best practices in order to discover potential 

vulnerabilities computer system to damage service operations, steal vulnerabilities and manage the discovered problems 

data or take control of the system rapidly 
Account hijacking Attackers may occupy the control of legitimate users’ Using multi-factor authentication with evasion of 


Malicious insiders 
Advanced persistent 
threat (APT) 
Constant data loss 
DoS attacks 

Shared Technology 
Vulnerabilities 
Cloud service abuses 


Inadequate due 
diligence 


account 
An insider can manipulate data or damage the whole 
infrastructures of cloud 


Penetrates cloud systems and remain hidden and 
persistently doing their activities for a long-time 
interval 

delete data constantly 


Effects the availability of a system 
consumes processing power and up the bandwidth 


As a result of resource sharing in the cloud, one 
vulnerability can produce a compromise across an 
entire provider’s cloud. 

Malicious actors can use cloud computing resources 
to target fashion, organizations, or other CSP 


Caused by a weak technical efficiency of the 
development group 


account credentials sharing 

Control the encryption operation and keys, separate 
jobs and reduce access given to users, Active logging 
and auditing administrator activities 

Advanced security controls, frequent infrastructure 
monitoring and rigid process management 


Different levels of backup and data distribution 

key management 

Detection is needed, prepare the key of DoS 
mitigating, access resources which can be used as 
mitigation immediately. 
Keeping shared resources 
authentication on all hosts, 
System, and segmentation 

A CSP must have a response scope to handle misuse 
of resources, a means for consumers to report any 
abuse produced from a CSP. 

Enterprises should review accreditations and 
standards gained by CSPs including ISO 9001, DCS, 
PCI, and HIPAA. 


patched, multi-factor 
Intrusion Detection 
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Table 4. The cloud threats analysis 








Spoofing Tampering with het Information Denial of Elevation of 

Threat Identity data Repudiation Disclosure Service Privilege 
Data Breaches V 
Broken authentication and y y V V V V 
credentials 
Hacked interfaces/ APIs y V V V 
Exploited system V V V V V V 
vulnerabilities 
Account hijacking V V V V V V 
Malicious insiders y y V 
APT V V 
Constant data loss V V 
DoS attacks V 
Shared Technology V V 
Vulnerabilities 
Cloud Service abuses V 
Inadequate Due diligence V V V N N N 





5. CLOUD DATA SECURITY AND PRIVACY 
5.1. Cloud data security 

The security of data in the cloud is more complex than traditional systems [4]. However, any cloud 
must be in a trustworthy environment in order to gain user confidence to adopt this technology [2], [21]. 
There’re lots of security concerns related to cloud computing, these issues collapse into two types [37]: 

— Cloud service provider’s security issues. 
— The customer’s security issues. 

However, in order to offer reliable services, the cloud providers should confirm the security of their 
infrastructure, so their clients’ applications and data are secured and stay integrated. Simultaneously, the user 
should apply measures to reinforce their application and use robust passwords/authentication methods [37]. 
In the environment of cloud computing, data security is a combination of three concepts, called the CIA 
triangle which consists of: confidentiality, integrity, and availability [3], [14], [38]. 


5.1.1. Cloud data confidentiality 

The main concerns respected with cloud computing is cloud confidentiality. In cloud computing, it 
can be defined as “the process of keeping the computation jobs and customer’s data private to both cloud 
provider and other customers” [2], [15], [18], [21], [38]. Confidentiality must be assured in the cloud 
environment, because of the fact that the data of a user are saved remotely and all computations which 
applied to them are controlled by the cloud provider, [15], [21], [38]. Various approaches proposed to keep 
data confidentiality in cloud computing environment such as RSA, DES, SDES, SSL 128-bit encryption, 
mixed encryptions algorithms, RC5, RBE, and AES [39]. 


5.1.2. Cloud data integrity 

Integrity in the cloud environment involves both of integrity of data and integrity of 
computations [2], [18], [40]. Where data integrity guarantees that user's data are stored inside the cloud providers 
ina fidelity way without any modification and any violations if occur must be detected [15], [18], [40]. On another 
side, computation integrity is a concept of executing the programs without being deformed by cloud 
providers, malware, or any else of malicious users and detect any incorrect computing [21], [38]. One of the 
most important methods used to achieve cloud data integrity is the hash algorithm [41]. 


5.1.3. Cloud data availability 

The term data availability means the degree to which user’s data can be recovered or used (if there is 
an event of any hard disk damage or failure) and how to confirm user data by technology rather than relying 
on the credit guarantee via the CPS only [2], [21], [42], [43]. Availability is a very important concern since 
the essentiality task of cloud computing is providing on-demand service at different levels. If a particular 
service isn't available or its quality can't meet the service level agreement (SLA), any customers may forfeit 
trust in the cloud systems [15], [21], [42], [43]. 

Usually, cloud providers achieve delivering highly available services, but outages and failures are 
something they have to face at any time. Failures that might happen include, but are not bound, to the 
following: human mistakes, network vulnerability, server, storage, or power failures. The suggested solutions 
to recover from some of the outages are high quality and the organized maintenance of the hardware 
component, data redundancy, failure detection, backup, infrastructure scalability, and redundant 
architecture [44]. 
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5.2. Cloud data privacy 

Privacy is the capability of individuals or groups to isolate themselves or their information from 
their selves then reveal them in a selective way [6], [21]. In cloud systems, when users want to see sensitive 
data, privacy has appeared here obviously. The cloud services must have the ability to inhibit possible 
adversaries from deducing the behavior of the user by the user’s visit model [6], [21]. The meaning of 
privacy in cloud computing is divided into two categories: data privacy and computation privacy [15]. 

There are many cryptography procedures which are utilized to keep the privacy of the information in 
order to secure huge information examination in the cloud, such as, homomorphic encryption (HE), verifiable 
computation (VC), multiparty computation (MPC) [45]. Table 5 explains the main data security aspects in 
cloud computing, with their possible threats and Defense strategies (for more details see [15]). Where 
Figure 2 shows the number of noticed research papers written about cloud security and privacy topics in the 
last five years. 


Table 5. The main data security aspects in cloud computing 








Security aspect Threats Defense strategies 
Confidentiality — Cross VM attack — Placement Prevention 
— Malicious sysAdmin — Co-residency Detection 
— NoHype 


— Trusted Cloud Computing Platform 
— retaining data control back to customer 


Integrity — Data loss/manipulation — Provable Data Possession (PDP) 
— Dishonest computation in remote servers — Third Party Auditor 
— Combating dishonest computing 
Availability — Flooding Attack via Bandwidth Starvation — defending the new DOS attack 
— Fraudulent Resource Consumption (FRC) attack — FRC attack detection 
Privacy Same of cloud confidentiality threats — Information centric security 


— Trusted computing 
— Cryptographic protocols (Homomorphic Encryption (HE)) 





~ cloud security 
Ty PF M cloud privacy 


2016 2017 2018 





f 


2019 2020 
Figure 2. A statistic of the number of published researches in the last five years 


6. HOMOMORPHIC ENCRYPTION 

Homomorphic encryption (HE) gives a great asset to ensure users’ privacy in a cloud computing 
environment. It is a mathematical model, developed in 1978 from the privacy homomorphism 
concept [46], [47]. It is one of the most popular schemas which are currently focused by computer science 
researchers in order to achieve the confidentiality of data [47]. Its importance came due to allowing transfer, 
store, and process the encrypted data securely because it permits encrypted data to be calculated without 
being decrypted [46], [48], [49]. It converts plaintext to cipher one which can be used and analyzed as if it 
were in its original form yet [38]. 


6.1. Definition 

Like any encryption schema, HE includes four functions when applying it, these functions are key 
generation, encryption, evaluation, and decryption [49], [50]. Mathematically, HE means translation of one 
data set to an alternative one, without losing its relation between them [17]. 
Let (P; C; K; E; D) be an encryption method, where [46]: 
P& C are the plaintext and ciphertext, respectively 
K is the key (secret or public key depending on the type of cryptosystem) 
E&D are the encryption and decryption algorithms. Suppose that the plaintexts compose a group (P30), and 
the ciphertexts produce a group (C; ©), consequently, the encryption algorithm E is a map from the group P to 
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the group C [46], [51]. An encryption schema is Homomorphic encryption if [46]. For all a and b in P and k 
in K: 


Ep (a)°Ek(b) = Ex (a 0 b) (1) 


Last years, HE usage in a cloud computing environment is spread widely due to its ability to 
perform arithmetic operations on encrypted texts without the need for a decryption key so that the results are 
exactly the same as if they were performed on the explicit text. Now, the provider can apply any computation 
operation on stored decrypted data of the user without any need for the key. This will gain both of consumer 
trust and ensure data privacy [8], [46], [52]. Figure 3 illustrates how dealing with encrypted data in cloud 
computing using homomorphic encryption [8], [49], [53]. 















5. REQUEST F(4.8) Cloud Provider 
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| 6. Evi 
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1. KEY GEWERATION EUCRYPTED 
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8. DECRYPTION CLOUD SEDVED DEREN 


Figure 3. Applying homomorphic encryption to the cloud computing 


6.2. Categories 
HE has been classified into three types depending on the number of mathematical operations that 
can be performed. These types are [46], [49], [50], [53], [54]: 
— Partial HE: Performs addition or multiplication operation (not both). 
— Somewhat HE: Performs a bounded number of addition and multiplication operations. 
— Fully HE: Can perform both addition and multiplication operations together. 
Table 6 explains the difference between partial and fully homomorphic encryption [54]. 


Table 6. The difference between partial and fully homomorphic encryption 








Parameter Partial HE Fully HE 
Type of operation Either addition or multiplication Both 
Computation Limited number of computations Unlimited 
Computational efforts Requires less effort Requires more effort 
Performance Faster and more compact Slower 
Versatility Low High 
Ciphertext size Small Large 
Example Unpadded RSA, ElGamal Gentry Scheme 





6.3. Properties 

In general, HE has two properties that appear when applying its schemas. According to these 
properties, HE can classify into two categories [49], [51], [54], [55]: 
— Additive homomorphic encryption: HE is classified as an additive if: 


Enc(x@® y)= Enc(x) ® Enc(y) (2) 

Enc (Xi-1M;) = [Ii Enc(m,) (3) 
— Multiplicative Homomorphic Encryption: A Homomorphic encryption is a multiplicative, if: 

Enc(x® y)= Enc(x) ® Enc(y) (4) 


Enc([i=1 m;i) = Mi- Enc(m;) (5) 
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According to the above definitions, many encryption algorithms classified as HE schema. Table 7 illustrates 
some of them with their related Homomorphic property [47], [49], [53]. 


Table 7. Homomorphic encryption schemes 








Scheme year Properties Type Algorithm Security Assumption 
RSA 1978 Multiplicative Partial Asymmetric Factorization 
Goldwasser Micali 1982 XOR Partial Asymmetric Quadratic residuosity problem 
Elgaml 1985 Multiplicative Partial Asymmetric Diffi-Hellman problem 
Okamoto uchiyama 1998 Additive Partial Asymmetric P-subgroup assumption 
Paillier 1999 Additive Partial Asymmetric Decisional Composite Residuosity 
Assumption 
Boneh-Goh-Nissim 2005 Additions (Unlimited) Some what Symmetric Subgroup decision problem 
Multiplication (only one) 
Gentry 2009 Fully fully Asymmetric Sparse Subset Sum (SSSP) assumption 





7. CONCLUSION 

Currently, cloud computing became the most important thing for many people. They use it in their 
daily lives and businesses to ensure they get the time, effort, cost, and keep data in a place that they can 
access from their device anywhere if a network connection is possible. With all of the facilities provided by 
cloud computing, except it faced many security challenges in different directions, which made the security of 
the cloud one of the most significant things associated with it in order to gain people's trust and attract them 
to the use of the cloud services continuously. Therefore, the cloud must be more and more secure in many 
directions (such as data storage, network). One of these important requirements is preserving privacy in the 
cloud. Homomorphic Encryption is a famous method that used to ensure the privacy of cloud data due to its 
feature which makes it easy to perform arithmetic operations on encrypted data without the need for a 
decryption key. 
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